1. Field of the Invention
The present invention relates to a key-updating method in a key-insulated cryptosystem, encryption processing method, a key-insulated cryptosystem, and a terminal device used in the key-insulated cryptosystem.
2. Description of the Related Art
Along with progress of so-called information technology (IT), a cryptosystem for carrying out encryption processing of information to be transmitted and received has been widely used in these days.
In such a cryptosystem, there is a problem that security of information to be encrypted cannot be secured when a cryptographic algorithm used for the encryption processing is once analyzed.
However, in reality, rather than the case where the cryptographic algorithm is analyzed, there is a problem that a key used for encryption processing is exposed outside due to carelessness of a user who uses the cryptosystem.
Therefore, to cope with such key exposure, so-called “key-insulated cryptosystem” has been known (see, for example, Y. Dodis, J. Katz, S. Xu and M. Yung, “Key-Insulated Public-Key Cryptosystems”, Proc. of Eurocrypt 2002, Lecture Notes in Computer Science Vol. 2332, 2002, Springer-Verlag, P. 65-82 (hereinafter referred to as “Reference Document 1”), and M. Bellare and A. Palacio, “Protecting against Key Exposure: Strongly Key-Insulated Encryption with Optimal Threshold”, Cryptology ePrint Archive 064, the Internet URL:http://eprint.iacr.org/2002 (hereinafter referred to as “Reference Document 2”). In the key-insulated cryptosystem, it is possible to decrypt information which is encrypted by other users in the key-insulated cryptosystem for a predetermined time period, by using a user decryption key stored in a terminal device connected to a communications network.
In addition, in the key-insulated cryptosystem, “key-updating information” is generated by using “secret information” stored in an external device (for example, an IC card) connected to a terminal device. A user of the terminal device can update the user decryption key used in the terminal device by using the key-updating information.
That is, one of great features in the key-insulated cryptosystem is as follows. Even in a case where some of the user decryption keys, which are applied for a certain time period, are exposed outside, as long as the total number of the exposed decryption keys does not exceed a certain number, the decryption keys, which are applied for a time period other than the time period during which the exposed key is applied, are still unknown to persons and systems other than the user. That is, security in the time period other than the time period, during which the exposed decryption key is applied, is not affected at all.
Here, a specific configurational example of a key-insulated cryptosystem will be briefly described. For example, an update interval of a user decryption key is assumed to be one day, and the key is assumed to be updated for (N−1) times, that is, for N days.
A user (a terminal device) in the key-insulated cryptosystem uses general public-key encryption (for example, RSA encryption and ElGamal encryption) to generate N pairs of a public key and a decryption key ((Pki, Ski)1≦i≦N) and to publish pk=(pki)0≦i≦N as a public key.
In addition, the user (the terminal device) stores dk0=sk0 as an initial decryption key. Furthermore, the decryption key sk=(ski)0≦i≦N is set as a master key hk* (secret information), and the master key hk* is enclosed in an external device (for example, a tamper-proof region in an IC card or the like).
For example, at the j-th time key update, the external device generates key-updating information dj=skj based on the master key hk* and the fact that it is the j-th time key update. The generated key-updating information dj is transmitted to the terminal device connected with a secured communications path.
The user (the terminal device) generates a new decryption key dkj=dj by using the key-updating information dj and erases the previous decryption keys dkj-1 and dj.